/etc/hosts.deny not blocking hosts from using NFS

m223464 · 05-01-2012, 10:29 AM

Hi,

I've trawled through the forum to see if this topic's been covered but can't find anything.

I'm trying to figure out how you deny particular hosts from mounting NFS mounts. Everything I've read online points to using hosts.deny for this type of security but I can't get it to work.

e.g.
server1 has nfs running with the following configuration, however server2 is still able to mount /data without any issue.

/etc/exports

Code:

/data *(ro)

/etc/hosts.deny

Code:

ALL:ALL

/etc/hosts.allow is empty

This config of hosts.deny is working for protocols such as ssh but not nfs.

Can anyone advise me why this isn't working or the correct method to restrict servers from access to NFS mounts.

thanks

Gareth

MensaWater · 05-01-2012, 01:55 PM

No. You use /etc/exports to say which hosts can mount. The way you have it setup all hosts can currently mount /data as a read only filesystem.

For example you could setup:
/directory 192.168.1.0/22(rw,no_root_squash,insecure) 10.0.4.5(rw,no_root_squash)

That would tell it to allow all hosts in the 192.168.1.0 subnet to mount with the options shown and also allow the host at 10.0.4.5 to mount with the options shown for it. No other host would be able to mount. Usually the list of hosts you want to allow is shorter than the list you don't want.

/etc/hosts.allow and /etc/hosts.deny are used for tcp wrappers and only applications that are tcp wrapper aware can use them.

If you type "man exports" you'll get more information about the structure of /etc/exports.

m223464 · 05-01-2012, 03:34 PM

Thanks for your explanation. I had checked the man page prior to posting but had read in various articles online that hosts.allow/deny and exports were related.

chrism01 · 05-10-2012, 08:54 PM

As per MensaWater, you start by restricting what is exported to whom in the NFS exports file.

You may(!) want to fine tune that by restricting the portmap daemon via tcp wrappers http://www.linuxtopia.org/online_boo...appers-purpose.

Note that NFSv4 does not use portmap, so if using that, check whether it uses tcp wrappers (ie hosts.allow, hosts.deny) using the technique here http://www.linuxtopia.org/online_boo...d-TCP_Wrappers.

Alternately, there's always iptables ...